[Oisf-users] Suricata 1.3.4 problem

Victor Julien lists at inliniac.net
Thu Dec 6 07:34:50 UTC 2012


On 12/06/2012 02:05 AM, Martin Holste wrote:
> Probably the flow timeouts as discussed earlier this week on the list. 
> Try out my aggressive flow timeout example and see if that fixes it.

Also, please try the soon to be 1.3.5 git master:
https://github.com/inliniac/suricata/tree/master-1.3.x

It fixes a serious memleak in exactly this area.

Cheers,
Victor

> 
> On Wed, Dec 5, 2012 at 5:53 PM, Paul Halliday <paul.halliday at gmail.com> wrote:
> 
>     Hi,
> 
>     Not quite sure what's happening but Suricata stops generating alerts
>     after about 30 minutes of operation. Bandwidth during this test never
>     peaked above 50. Running on FreeBSD 9.1
> 
> 
>     MEM and CPU for the process (~30 second interval):
> 
>     1354748069,804M,26.37%
>     1354748099,807M,25.15%
>     1354748129,812M,31.10%
>     1354748159,818M,26.76%
>     ...
>     1354749629,1061M,27.25%
>     1354749659,1065M,24.27%
>     1354749689,1069M,26.12%
>     1354749719,1089M,26.12%
>     1354749749,1090M,36.38%
>     1354749779,1092M,108.30%
>     1354749809,1095M,108.11%
>     1354749839,1098M,108.06%
>     1354749869,1098M,196.78%
>     1354749899,1098M,200.00%
>     1354749929,1098M,200.00%
>     1354749959,1098M,200.00%
>     1354749989,1098M,200.00%
> 
>     In around the spike from 36 to 108 utilization Suricata throws this:
> 
>     5/12/2012 -- 19:21:50 - <Info> - Flow emergency mode over, back to
>     normal... unsetting FLOW_EMERGENCY bit (ts.tv_sec: 1354749710,
>     ts.tv_usec:449629) flow_spare_q status(): 38% flows at the queue
> 
>     A knob I need to turn somewhere?
> 
>     Thanks!
> 
>     --
>     Paul Halliday
>     http://www.pintumbler.org/
>     _______________________________________________
>     Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     Site: http://suricata-ids.org | Support:
>     http://suricata-ids.org/support/
>     List:
>     https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     OISF: http://www.openinfosecfoundation.org/
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



